FYI - ProfitStars (a division of Jack Henry & Associates, Inc.) today announced the acquisition of Texas-based AudioTel Corporation. AudioTel supports more than 1,000 financial institutions with back-office and retail banking solutions.
http://www.symitar.com/?P=ED4DC9EF-1F44-4D30-B3D7-0457878184CA&N=b0eb1e90-138c-4407-8880-f2a75cacb44b
FYI - Bajinder Paul Named Chief Information Officer at the OCC - Comptroller of the Currency John C. Dugan announced today that he has named Bajinder Paul to be the Office of the Comptroller of the Currency's next Chief Information Officer.
www.occ.treas.gov/ftp/release/2007-103.htm
FYI - Connecticut Sues Consultant, Accenture, Over Lost Data - The state is suing for illegal negligence and breach of contract, but Accenture says the matter was a mistake based on human error. The State of Connecticut is suing its own computer consultant, Accenture, for losing personally identifying information on 58 residents and hundreds of state bank accounts and purchasing cards.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807932
FYI - Lawmaker seeks probe of possible cyberattacks at DHS - A top homeland security lawmaker has called for an investigation into possible cyber attacks on computer systems at the Homeland Security Department.
http://www.govexec.com/story_page.cfm?articleid=38112&dcn=todaysnews
FYI - Confidential data on hard drives turning up - Sensitive information retrieved included salary details, financial data of specific companies and credit card numbers - Hard drives full of confidential data are still turning up on the second-hand market, researchers have reported.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038221&source=rss_topic17
FYI - Fewer Companies Suffer Security Breaches, But They're Much More Severe - A CompTIA study also showed that one in four companies surveyed indicated that they have had an insider security breach or threat in the last year.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202100132
FYI - GAO - Veterans Affairs: Sustained Management Commitment and Oversight Are Essential to Completing Information Technology Realignment and Strengthening Information Security.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-1264T
Highlights - http://www.gao.gov/highlights/d071264thigh.pdf
MISSING COMPUTERS/DATA
FYI - Hackers steal server log-ins from hosting vendor - Layered Technologies' database breached, 6,000 customers' servers compromised - Server hosting vendor Layered Technologies Inc. admitted this week that hackers broke into its support database and made off with as many as 6,000 client records, including log-in information that could give criminals access to clients' servers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038040&source=rss_topic17
FYI - Sensitive patient data stolen from nursing building - 'U' stresses timely reporting of theft - Since 8,585 tapes were stolen from the School of Nursing two weeks ago - the third data theft in the last year - University officials are stressing the importance of protecting against data theft.
http://media.www.michigandaily.com/media/storage/paper851/news/2007/09/19/Crime/Sensitive.Patient.Data.Stolen.From.Nursing.Building-2977434.shtml
http://blog.mlive.com/annarbornews/2007/09/tapes_containing_patient_recor.html
FYI - Security team hit by electronic smear campaign - A team of volunteers formed to help combat cybercrime has been subjected to an attack which has attempted to undermine its reputation.
http://news.zdnet.co.uk/security/0,1000000189,39289509,00.htm
FYI - ABN Amro customer deets tip up on BearShare - Social security numbers and other sensitive information belonging to more than 5,000 customers of ABN Amro Mortgage Group have been leaked onto the BearShare file-sharing network by a former employee, according to news reports.
http://www.theregister.co.uk/2007/09/21/abn_amro_leak_on_bearshare/print.html
FYI - Laptop with child welfare information stolen - Officials with the state's child welfare agency say a laptop computer with private information on 41 cases has been stolen. The laptop computer with personal information about state Department of Children and Families clients in Northwest Connecticut was stolen from a car.
http://www.wtnh.com/Global/story.asp?S=7108487
http://www.courant.com/news/local/hc-ctaplaptop0922.artsep22,0,924626.story
FYI - June Ohio data breach affects Minnesota county employees - Add 562 current or former employees of Ramsey County, Minn., to the list of victims of the June data breach that affected 1.3 million Ohio residents and hundreds of Connecticut state bank accounts.
http://www.scmagazineus.com/June-Ohio-data-breach-affects-Minnesota-county-employees/article/35835/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer complaints, including those regarding the appropriateness or quality of content, services, or products provided or the privacy and security policies of the third-party site. The plan also should address how the financial institution will address complaints regarding any failures of linked third parties to provide agreed-upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the activities of linked third parties as a part of its risk management strategy. Monitoring policies and procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of services provided by third parties are in accordance with contracts and agreements. Website content is dynamic, and third parties may change the presentation or content of a website in a way that results in risk to the financial institution's reputation. Periodic review and testing will reduce this risk exposure. The frequency of review should be commensurate with the degree of risk presented by the linked site.
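The periodic link testing described above can be automated. The following Go program is an added example, not part of the FFIEC statement or the newsletter: it takes an inventory of outbound links (the `LinkCheck` struct and its field names are this example's own) and, for each one, verifies that the link returns a successful status, that it still lands on the host the institution contracted with after any redirects, and that a phrase expected on the third party's page is still present, recording a body hash so content drift between reviews can be spotted. The two web servers it talks to are constructed locally with `net/http/httptest` so the example runs offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// LinkCheck is one entry in the institution's inventory of outbound links.
// The field names are this example's own, not from the FFIEC statement.
type LinkCheck struct {
	URL          string
	ExpectedHost string // host the link is contracted to land on, after any redirects
	ExpectedText string // phrase that must still appear in the third party's page
}

// LinkResult is what a periodic review would record for each link.
type LinkResult struct {
	URL      string
	OK       bool
	Problems []string
	BodyHash string // SHA-256 of the body, to spot content changes between reviews
}

// CheckLink fetches one link and applies the status, host and content checks.
func CheckLink(client *http.Client, lc LinkCheck) LinkResult {
	res := LinkResult{URL: lc.URL}
	resp, err := client.Get(lc.URL)
	if err != nil {
		res.Problems = append(res.Problems, "request failed: "+err.Error())
		return res
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		res.Problems = append(res.Problems, fmt.Sprintf("status %d", resp.StatusCode))
	}
	// resp.Request.URL is the final URL after the client followed any redirects,
	// so a link quietly redirected to another host is caught here.
	if host := resp.Request.URL.Host; host != lc.ExpectedHost {
		res.Problems = append(res.Problems, "landed on unexpected host "+host)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		res.Problems = append(res.Problems, "read failed: "+err.Error())
		return res
	}
	if !strings.Contains(string(body), lc.ExpectedText) {
		res.Problems = append(res.Problems, "expected content missing")
	}
	sum := sha256.Sum256(body)
	res.BodyHash = hex.EncodeToString(sum[:])
	res.OK = len(res.Problems) == 0
	return res
}

// Demo stands up two constructed local servers (the linked third party and an
// unrelated site) and checks three links: a healthy one, a dead one, and one
// that now redirects off the contracted host.
func Demo() []LinkResult {
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>Unrelated site</html>")
	}))
	defer other.Close()
	partner := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/loans":
			fmt.Fprint(w, "<html>Partner Loan Center - Apply online</html>")
		case "/moved":
			http.Redirect(w, r, other.URL+"/", http.StatusFound)
		default:
			http.NotFound(w, r)
		}
	}))
	defer partner.Close()
	partnerHost := mustHost(partner.URL)
	client := &http.Client{Timeout: 10 * time.Second}
	inventory := []LinkCheck{
		{URL: partner.URL + "/loans", ExpectedHost: partnerHost, ExpectedText: "Apply online"},
		{URL: partner.URL + "/gone", ExpectedHost: partnerHost, ExpectedText: "Apply online"},
		{URL: partner.URL + "/moved", ExpectedHost: partnerHost, ExpectedText: "Apply online"},
	}
	var results []LinkResult
	for _, lc := range inventory {
		results = append(results, CheckLink(client, lc))
	}
	return results
}

func mustHost(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u.Host
}

func main() {
	for _, r := range Demo() {
		fmt.Printf("%s ok=%v problems=%v\n", r.URL, r.OK, r.Problems)
	}
}
```

In a real review the inventory would come from the institution's weblinking register and the results from each run would be kept, so that a changed `BodyHash` on a link that still passes the other checks prompts a human content review rather than being missed.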
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Utilization of the Internet presents numerous issues and risks which must be addressed. While many aspects of system performance will present additional challenges to the bank, some will be beyond the bank's control. The reliability of the Internet continues to improve, but situations including delayed or misdirected transmissions and operating problems involving Internet Service Providers (ISPs) could also have an effect on related aspects of the bank's business.
The risks will not remain static. As technologies evolve, security controls will improve; however, so will the tools and methods used by others to compromise data and systems. Comprehensive security controls must not only be implemented, but also updated to guard against current and emerging threats. Security controls that address the risks will be presented over the next few weeks.
SECURITY MEASURES
The FDIC paper discusses the primary interrelated technologies, standards, and controls that presently exist to manage the risks of data privacy and confidentiality, data integrity, authentication, and non-repudiation.
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues surrounding data privacy, confidentiality, and data integrity. Encryption technology is also employed in digital signature processes, which address the issues of authentication and non-repudiation. Certificate authorities and digital certificates are emerging to address security concerns, particularly in the area of authentication. The function of and the need for encryption, digital signatures, certificate authorities, and digital certificates differ depending on the particular security issues presented by the bank's activities. The technologies, implementation standards, and the necessary legal infrastructure continue to evolve to address the security needs posed by the Internet and electronic commerce.
IT SECURITY QUESTION:
Internal controls and procedures: (Part 1 of 2)
a. Are output reports satisfactory for employees to perform their respective duties?
b. Are output reports satisfactory for management?
c. Are output reports satisfactory for auditing purposes?
d. Are there satisfactory user procedures?
e. Is there separation of duties for input preparation and balancing?
f. Is there separation of duties for data entry?
g. Is there separation of duties for operation of the computer system?
h. Is there separation of duties for handling rejected items for reentry?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.
a. Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of Section 14 and 15 exceptions. Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of information (§6).
2) Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (§9) and accessibility of or ability to retain the notice (§9(e)).